MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5ac541a4baee69325c9f73ba6fe8e93d74fe3c302708373fab4fc0a55e3745b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	b5ac541a4baee69325c9f73ba6fe8e93d74fe3c302708373fab4fc0a55e3745b
SHA3-384 hash:	bc93471a20fcef096cb1456d6d046f2177468f291a9dad04626949f144b4e8b82da42d8e67d495234230bd7cbefdc34c
SHA1 hash:	5fc3105a3a5346b76dd879f4af88d275376207c0
MD5 hash:	f71192136c55245729661eb552eaaf37
humanhash:	sink-ink-edward-carolina
File name:	Rmittance Advice 017700 9001.exe
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	1'013'248 bytes
First seen:	2020-12-05 15:25:18 UTC
Last seen:	2020-12-05 16:41:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:6h3BbOWnDoM/9I3oNwbityIk4wpJMwf6MWcZAl:03xnDX6Gwb2y14Me46w4
Threatray	577 similar samples on MalwareBazaar
TLSH	A32512322225FFA9EA7A4FF4A56426441FB525339A71F35CBD8610CE30A3B40AE45D73
Reporter	abuse_ch
Tags:	exe MassLogger

abuse_ch

Malspam distributing MassLogger:

HELO: vm1621512.nvme.had.ytbanabiosa.com
Sending IP: 185.244.216.74
From: impexland@banabiosa.com
Subject: Payment For Outstanding Invoices
Attachment: Rmittance Advice 017700 9001 PDF.R01 (contains "Rmittance Advice 017700 9001.exe")

MassLogger SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

364

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Rmittance Advice 017700 9001.exe

Verdict:

Malicious activity

Analysis date:

2020-12-07 08:38:12 UTC

Tags:

trojan stealer masslogger evasion

Link:

https://app.any.run/tasks/ca0ab154-0bdd-4d2d-bc8e-59dd7312283f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

MassLogger

Link:

https://www.capesandbox.com/analysis/106884/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.dc.23964.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Setting a global event handler for the keyboard

Result

Gathering data

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/556305

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5ac541a4baee69325c9f73ba6fe8e93d74fe3c302708373fab4fc0a55e3745b/

Threat name:

ByteCode-MSIL.Trojan.MassLogger

Status:

Malicious

First seen:

2020-12-05 09:38:48 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wwwfigslv3tjgjoj6452n7uosplu7y6dajyig472wt6auvpdornq._file

Verdict:

malicious

Label(s):

masslogger

MassLogger

657ce0145781e930d93e0cf3953390f98f22323be721a6d44db6342a44aea27f

MassLogger

6bcaa05bb24f934bc0b68c8475610a3a0c1877e279ab50d9fe75144cb369fd1e

MassLogger

6cb35d59850a6e43f2b6cfe1de03a41d81ab9bc07bfdb1b4b1f3cadba53d3086

MassLogger

7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5

MassLogger

84ff047bcfc4af6e249a5b466477d1b72cf261fc5a40752a62a149158118224e

MassLogger

b8ea60675bf0fd459aebe9511edd1b7757972a41bb61a57e9ba66f23d4b38a3e

MassLogger

d6b834570825a606942ff096f5ad3df33f58082be5a68bab447bc9af4b114e95

MassLogger

ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d

MassLogger

f925d649aee4b92c974778fd87576229f44972c23df41df5aacdd9dc55fd2c45

MassLogger

+ 567 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger spyware stealer

Link:

https://tria.ge/reports/201205-pxkzf782re/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

MassLogger

MassLogger Main Payload

Unpacked files

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/7b0e8e6a-c512-43c3-8b28-125c89c1bf78/

SH256 hash:

c8b06c70761caadc61d4c4eeeebec7a50cf782c89c250d4526f1b3d5e0e54db2

MD5 hash:

bcf9effe441c0a817b73595113ad079c

SHA1 hash:

6561a25b4c747f2521cec627d67c730a71e96468

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/7b0e8e6a-c512-43c3-8b28-125c89c1bf78/

SH256 hash:

815f331a740693a74c0ca5a789eb62f54b6b6cabac98005eb0724bf3878cba2c

MD5 hash:

ff87e04dcad9b235b2efad6e4581a2a9

SHA1 hash:

c8006ff86b0bcbc52b9dd810a6b3b2b266587d8b

Link:

https://www.unpac.me/results/7b0e8e6a-c512-43c3-8b28-125c89c1bf78/

SH256 hash:

b5ac541a4baee69325c9f73ba6fe8e93d74fe3c302708373fab4fc0a55e3745b

MD5 hash:

f71192136c55245729661eb552eaaf37

SHA1 hash:

5fc3105a3a5346b76dd879f4af88d275376207c0

Link:

https://www.unpac.me/results/7b0e8e6a-c512-43c3-8b28-125c89c1bf78/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/b5ac541a4baee69325c9f73ba6fe8e93d74fe3c302708373fab4fc0a55e3745b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MassLogger Create hunting rule
Author:	kevoreilly
Description:	MassLogger

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf